# vi: ft=yaml
version: "3.7"

networks:
  traefik:
    external: true

configs:
  services:
    external: true
    name: "{{ services.config_name }}"

volumes:
  acme:
    driver_opts:
      type: "nfs"
      o: "addr=192.168.30.10,nolock,soft,rw"
      device: ":/mnt/data/traefik/acme"

services:
  traefik:
    image: traefik:3.0
    networks:
      - traefik
    ports:
      - 443:443
      - 80:80
      - 444:444
    deploy:
      placement:
        constraints:
          - node.role == manager
      labels:
        - traefik.enable=true
        - traefik.http.routers.dashboard.entrypoints=localsecure
        - traefik.http.routers.dashboard.rule=Host(`traefik.pim.kunis.nl`)
        - traefik.http.routers.dashboard.service=api@internal
        - traefik.http.services.dummy-svc.loadbalancer.server.port=8080
        - traefik.http.routers.dashboard.tls=true
        - traefik.http.routers.dashboard.tls.certresolver=letsencrypt
        - traefik.docker.network=traefik

        - traefik.http.routers.esrom.entrypoints=websecure
        - traefik.http.routers.esrom.service=esrom@file
        - traefik.http.routers.esrom.rule=Host(`geokunis2.nl`)
        - traefik.http.routers.esrom.tls=true
        - traefik.http.routers.esrom.tls.certresolver=letsencrypt

        - traefik.http.routers.uptime.entrypoints=localsecure
        - traefik.http.routers.uptime.rule=Host(`uptime.pim.kunis.nl`)
        - traefik.http.routers.uptime.service=uptime@file
        - traefik.http.routers.uptime.tls=true
        - traefik.http.routers.uptime.tls.certresolver=letsencrypt

        - traefik.http.routers.ntfy.entrypoints=websecure
        - traefik.http.routers.ntfy.rule=Host(`ntfy.pim.kunis.nl`)
        - traefik.http.routers.ntfy.service=ntfy@file
        - traefik.http.routers.ntfy.tls=true
        - traefik.http.routers.ntfy.tls.certresolver=letsencrypt

        - traefik.http.routers.apprise.entrypoints=localsecure
        - traefik.http.routers.apprise.rule=Host(`apprise.pim.kunis.nl`)
        - traefik.http.routers.apprise.service=apprise@file
        - traefik.http.routers.apprise.tls=true
        - traefik.http.routers.apprise.tls.certresolver=letsencrypt

        - traefik.http.routers.concourse.entrypoints=websecure
        - traefik.http.routers.concourse.rule=Host(`ci.kun.is`)
        - traefik.http.routers.concourse.service=concourse@file
        - traefik.http.routers.concourse.tls=true
        - traefik.http.routers.concourse.tls.certresolver=letsencrypt
    volumes:
      - type: bind
        source: /var/run/docker.sock
        target: /var/run/docker.sock
      - type: volume
        source: acme
        target: /acme
        volume:
          nocopy: true
    configs:
      - source: services
        target: /etc/traefik/services.yml
    command:
      - --providers.docker
      - --providers.docker.swarmmode
      - --providers.docker.watch
      - --providers.docker.exposedbydefault=false

      - --providers.file.filename=/etc/traefik/services.yml

      - --api
      - --api.insecure=false
      - --api.dashboard=true

      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint=true
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.web.http.redirections.entrypoint.permanent=true

      - --entrypoints.websecure.address=:443

      - --entrypoints.localsecure.address=:444

      - --certificatesresolvers.letsencrypt.acme=true
      - --certificatesresolvers.letsencrypt.acme.email=pim@kunis.nl
      - --certificatesresolvers.letsencrypt.acme.storage=/acme/acme.json
      - --certificatesresolvers.letsencrypt.acme.httpchallenge=true
      - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web

      - --serversTransport.insecureSkipVerify=true